OpenBSD Security: Functionally paranoid!
PF proto if not ! and table script question.
After a few days of searching "and utterly failing at it" I figured I would post my question here.
I was wondering if anyone knew if the 'if not' ! option or similar exists for the proto/protocol field. I've tried most of the iterations I could think of with no luck. I've also been searching for a clean script capable of reading /var/log/pflog and adding any inbound blocks to a table. Thus far I've only seen one and while it's brilliant, it seemed overly complex. I'm a bit of a minimalist and my gut is telling me there's a simpler solution.

Info: Currently running a minimal install of 5.7 as a perimeter firewall. 0 additional packages installed; the goal is to keep the system 100% clean. The pf only allows 1 proto, 1 port and traffic to and from the external VPN. Any info would be greatly appreciated. Thanks
Hello, and welcome!
The protocol field does not have the "!" option. See the GRAMMAR section of pf.conf(5) for details. I have never used pflog records to programmatically revise tables. Instead, I've either used PF's stateful tracking options or I've used divert(4) to add addresses to tables. Can you describe what you intend? There may be a built-in solution.
Thanks for the fast response and the links m8.
The reason for the script would be to permanently add any inbound connection attempts to a table, run the .sh as a cron frequently and reload pf. If there's a way to do this without reading the pflog or using proxy state and allowing a handshake, any info would be appreciated. I'm running a block all / whitelist setup so a block table really isn't required, but having a <blockedip> table with log off would help quiet things down. I'm on a noisy network. Thanks again.
If you don't want the noise of blocked incoming connections in the log, then why are you logging it?
If you have a whitelist of allowed IPs, just add those to a table and log if they are in that table so you can debug connection problems for the whitelisted IPs. PF's overload system can probably be made to do what you want, though. Peter's pf presentation talks about it as "bruteforce" protection.
pflog(4) is intended for analysis and debugging. The two other table manipulation methods mentioned -- stateful tracking, and divert(4) -- are designed for dynamic traffic management.
See Stateful Tracking Options in the PF User's Guide.
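The two approaches the thread circles around, the pflog-reading cron script the original poster asked for and the overload/whitelist tables suggested in the two replies above, fit together in one setup. What follows is an added example and not code from this thread or from the PF project: the pf.conf fragment and the script are both assumptions about how such a firewall could be laid out, and every interface name, address and port in it is a placeholder. The script parses the text that `tcpdump -n -e -ttt -r /var/log/pflog` prints for pflog records, keeps only inbound blocks, drops whitelisted sources, and emits `pfctl -t blockedip -T add` commands; the sample pflog lines are constructed, not real captures.

```sh
#!/bin/sh
# Added example (not from the thread). Placeholder interface, addresses, port.

# 1. pf.conf fragment: a whitelist table logged for debugging, a <bruteforce>
#    table filled by PF's stateful tracking (no script needed), and a
#    <blockedip> table that is blocked WITHOUT "log" so repeat scanners go quiet.
pf_conf_fragment() {
    cat <<'EOF'
ext_if   = "em0"                                   # placeholder external interface
vpn_port = "1194"                                  # placeholder: the one allowed port
table <whitelist> persist { 198.51.100.7 }         # placeholder trusted source
table <bruteforce> persist                         # filled by overload below
table <blockedip> persist file "/etc/blockedip"    # filled by the script, survives reloads

set skip on lo
block return log                                   # default deny, logged to pflog
pass in log quick on $ext_if from <whitelist> to ($ext_if)   # trusted hosts, logged
block in quick on $ext_if from <blockedip>         # no "log": silenced repeat offenders
block in quick on $ext_if from <bruteforce>

# Stateful tracking: more than 5 new connections in 30 s from one source puts
# it in <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp to ($ext_if) port $vpn_port \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass out on $ext_if
EOF
}

# 2. Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output.
SAMPLE_PFLOG='Nov 05 10:19:37.567212 rule 2/(match) block in on em0: 203.0.113.5.54321 > 192.0.2.1.22: S 1:1(0) win 65535
Nov 05 10:19:38.000001 rule 2/(match) block in on em0: 203.0.113.5.54322 > 192.0.2.1.23: S 1:1(0) win 65535
Nov 05 10:19:39.000002 rule 4/(match) pass in on em0: 198.51.100.7.40000 > 192.0.2.1.443: S 1:1(0) win 65535
Nov 05 10:19:40.000003 rule 3/(match) block out on em0: 192.0.2.1.40001 > 203.0.113.9.80: S 1:1(0) win 65535
Nov 05 10:19:41.000004 rule 2/(match) block in on em0: 198.51.100.7.40002 > 192.0.2.1.25: S 1:1(0) win 65535
Nov 05 10:19:42.000005 rule 2/(match) block in on em0: 2001:db8::bad.40003 > 2001:db8::1.22: S 1:1(0) win 65535'

# Sources that must never land in <blockedip> (space separated, placeholder).
WHITELIST='198.51.100.7'

# blocked_in_sources: read tcpdump-formatted pflog lines on stdin and print each
# unique source address of an inbound block, skipping whitelisted ones.
# Works for IPv4 and IPv6 because tcpdump prints both as "addr.port".
blocked_in_sources() {
    awk -v wl="$WHITELIST" '
    BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    / block in on / {
        src = $0
        sub(/.* block in on [^:]+: /, "", src)   # cut up to "on <ifname>: "
        sub(/ .*/, "", src)                      # keep the source token only
        sub(/\.[0-9]+$/, "", src)                # strip the ".port" suffix
        if (!(src in white) && !(src in seen)) { seen[src] = 1; print src }
    }'
}

# table_add_commands: turn the address list into pfctl commands for the
# <blockedip> table. Printed rather than executed so they can be reviewed;
# pipe into sh on the firewall itself.
table_add_commands() {
    blocked_in_sources | while read -r ip; do
        printf 'pfctl -t blockedip -T add %s\n' "$ip"
    done
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_PFLOG" | table_add_commands
```

On the firewall the cron job would be `tcpdump -n -e -ttt -r /var/log/pflog 'inbound and action block' | blocked_in_sources >> /etc/blockedip && pfctl -t blockedip -T replace -f /etc/blockedip`: the tcpdump pflog primitives `inbound` and `action block` do the first filtering step in the kernel's own terms, appending to the `persist file` keeps the entries across reboots and ruleset reloads, and `-T replace -f` tolerates duplicate lines in the file. No `pfctl -f /etc/pf.conf` reload is needed, since table changes take effect immediately. Because the `<blockedip>` block rule carries no `log`, an address stops appearing in pflog the moment it is added, which is the quieting effect the original poster was after.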
More often than not the same IP, usually a bot, frequently rescans the same ports, filling the logs up with clutter. Using a script to scan the log file for specific things and then add them to a non-logged block list would reduce the noise.

The divert option would be nice for a webserver type of setup. However, normally in that situation I would only allow inbound to the "changed" SSH port from my IP or subnet, with OS options. But as this is a perimeter firewall, no inbound is required on the WAN. I'm also not a huge fan of using mass block lists as they are often not updated quickly / become stale; thus you end up blocking IPs that are no longer assigned to the compromised system. And unfortunately they will never stop anyone that actually wants in, just some bots.

We used to use Suricata for this while running 3 custom rules that dropped/alerted all IPv4/IPv6, then had any alert created by those rules added to the block list. We then used a simple whitelist so no alerts were made for the WAN/LAN/VPN IPs. Once the IP was in the block list it was no longer logged by the system firewall. When pen testing this helped a lot in DoS situations, as logging alone can hit the system hard. The above system was on pfSense, but I really don't like the direction it's heading. Thus I was hoping to replicate such a system running on a pure OpenBSD setup. Why not make use of the godly auditing? I'll read more about overload and keep hunting around. Thanks for the links.
In any case, I have a functioning script. Thanks. -Solved
My apologies -- I did not mean to offend you. It was a poor choice of words to state that based on my understanding of the information provided, it did not appear *technically* necessary.
I'm sorry. I used a word which may have negative connotations, but did not intend anything negative by it.